On Wed, Apr 21, 2021 at 02:40:38PM +0300, Leon Romanovsky wrote:
> @@ -303,20 +304,37 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
> struct ib_mad_agent *mad_agent;
> struct ib_mad_send_buf *m;
> struct ib_ah *ah;
> + int ret;
> +
> + read_lock(&cm_id_priv->av_rwlock);
> + if (!cm_id_priv->av.port) {
> + ret = -EINVAL;
> + goto out;
> + }
>
> mad_agent = cm_id_priv->av.port->mad_agent;
> + if (!mad_agent) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
> ah = rdma_create_ah(mad_agent->qp->pd, &cm_id_priv->av.ah_attr, 0);
> - if (IS_ERR(ah))
> - return (void *)ah;
> + if (IS_ERR(ah)) {
> + ret = PTR_ERR(ah);
> + goto out;
> + }
>
> m = ib_create_send_mad(mad_agent, cm_id_priv->id.remote_cm_qpn,
> cm_id_priv->av.pkey_index,
> 0, IB_MGMT_MAD_HDR, IB_MGMT_MAD_DATA,
> GFP_ATOMIC,
> IB_MGMT_BASE_VERSION);
> +
> + read_unlock(&cm_id_priv->av_rwlock);
> if (IS_ERR(m)) {
> rdma_destroy_ah(ah, 0);
> - return m;
> + ret = PTR_ERR(m);
> + goto out;
> }
>
> /* Timeout set by caller if response is expected. */
> @@ -326,6 +344,10 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
> refcount_inc(&cm_id_priv->refcount);
> m->context[0] = cm_id_priv;
> return m;
> +
> +out:
> + read_unlock(&cm_id_priv->av_rwlock);

This flow has read_unlock happening twice on error

Jason
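Review bot: The read-locked region added in the first hunk of cm_alloc_msg() has no comment explaining why `av_rwlock` is held across `rdma_create_ah()` and `ib_create_send_mad()`, or that nothing in that region may sleep. The new NULL checks on `cm_id_priv->av.port` and `mad_agent` suggest both can be cleared concurrently (presumably on device removal, which the hunk does not show), so the lock is what keeps those pointers valid while they are dereferenced. I would add above the `read_lock()` something like `/* av.port and its mad_agent can go away concurrently; hold av_rwlock while they are used. Callees must not sleep: keep flags 0 and GFP_ATOMIC. */`. Without it, a later change to a sleepable AH flag or a blocking GFP mask would quietly sleep under a spinning lock. The function starts before this hunk and continues past it, so the final return path is not visible here.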